Find Sec Bugs Versions

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

version-1.13.0

2 months ago

Implemented enhancements:

  • Java 21 Support #723

Closed issues:

  • SpringEntityLeakDetector crashes with array types #679
  • Java 17 not working #678
  • Detect usage of Apache BeanUtils.copyProperties as dangerous #601


version-1.12.0

2 years ago

This release includes a lot of small fixes. See the auto-generated changelog for the complete list of changes. From those, here are two notable improvements:

  • Support for JDK 17
  • Important fixes to the signature files (bug with generics)

In late 2021, the library log4j version 2 was vulnerable to JNDI/LDAP "injection". The Log4j2 project has been using FSB (at least once). I later found out that we had a small signature issue that could have warned about the Context.lookup() method risks. See #670 for more info.
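As an added illustration of the point above (this is example code written for this page, not code from Find Security Bugs or from Log4j), here is the Context.lookup() sink that such a signature would report, beside a version that only ever passes compile-time constant names to JNDI. The resource keys and JNDI names are assumptions chosen for the example.

```java
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;

// Added example (not Find Security Bugs or Log4j code): a tainted JNDI lookup
// beside an allow-listed one. Resource keys and JNDI names are assumptions.
public class JndiLookupExample {

    // Sink: 'name' is attacker-influenced (a log message, an HTTP header, ...).
    // A name such as "ldap://attacker.example/x" makes the JNDI provider connect
    // out and load a remote object, which is the Log4Shell pattern.
    static Object lookupTainted(Context ctx, String name) throws NamingException {
        return ctx.lookup(name);
    }

    // Fix: the caller chooses a short key; the code maps it to a fixed JNDI name.
    private static final Map<String, String> KNOWN_RESOURCES = Map.of(
            "datasource", "java:comp/env/jdbc/appDb",
            "mail", "java:comp/env/mail/Session");

    static String resolveJndiName(String key) {
        String jndiName = KNOWN_RESOURCES.get(key);
        if (jndiName == null) {
            throw new IllegalArgumentException("unknown resource key: " + key);
        }
        return jndiName;
    }

    static Object lookupAllowListed(Context ctx, String key) throws NamingException {
        // The argument to lookup() is one of the constants above; no untrusted
        // data reaches the sink, so a taint analyser has nothing to report here.
        return ctx.lookup(resolveJndiName(key));
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate key and the kind of value seen in the attacks.
        System.out.println(resolveJndiName("datasource"));
        try {
            resolveJndiName("ldap://attacker.example/x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The main method only exercises the allow-list so that it runs without a JNDI provider; lookupTainted is there to show the shape of the call that a signature on javax.naming.Context.lookup() would flag.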



Full Changelog: https://github.com/find-sec-bugs/find-sec-bugs/compare/version-1.11.0...version-1.12.0

>md5sum findsecbugs-cli-1.12.0.zip
3b27a4374ac89146574a6318cfc53529 *findsecbugs-cli-1.12.0.zip

>sha1sum findsecbugs-cli-1.12.0.zip
cc382af0fae095afa7d41eb14d105fb909d8bc5b *findsecbugs-cli-1.12.0.zip

version-1.11.0

3 years ago

In this new release of Find Security Bugs (FSB), you'll find a few new detectors along with improvements to existing ones. Here is a summary of what to expect from this update.

New detectors

A new experimental detector was created to highlight Unicode issues. Its reports are shown only if you set the minimum confidence to Low (the default setting is Medium). For applications integrating Groovy, a new detector will find scripts being evaluated at runtime (analogous to eval functions in scripting languages). The Vert.x SQL API is now supported. Finally, hardcoded passwords in the JSch library are now detected.

Java unsafe deserialization

Deserialization detectors now support ObjectInput and ObjectInputStream. Thanks to @nichollt for the idea.

HTTP Parameter Pollution (URL Injection)

For applications making outbound HTTP requests, the recommended way to build a URI/URL is to use URIBuilder. This third-party class provides a DSL that behaves similarly to prepared statement APIs: every parameter passed to it is properly encoded. This allows FSB to remove the false positive with confidence.
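The difference between the two ways of building a URL, as an added example (written for this page, not code from Find Security Bugs). It assumes Apache HttpClient 4.x on the classpath for org.apache.http.client.utils.URIBuilder; the base URL and the attacker-controlled value are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.http.client.utils.URIBuilder; // Apache HttpClient 4.x, assumed dependency

// Added example (not Find Security Bugs code): string concatenation that the
// HTTP parameter pollution detector reports, beside the URIBuilder form it
// treats as safe. Inputs below are constructed.
public class UrlBuildingExample {

    // Constructed attacker input: a value that smuggles a second parameter.
    static final String TAINTED = "alice&role=admin";

    // Sink: the untrusted value lands unencoded in the query string, so the
    // outbound request carries role=admin as a separate parameter.
    static String concatenated(String base, String user) {
        return base + "?user=" + user;
    }

    // Fix: the builder percent-encodes each value, so '&' and '=' inside it
    // cannot terminate the parameter. This is the "prepared statement" analogy.
    static URI built(String base, String user) throws URISyntaxException {
        return new URIBuilder(base).addParameter("user", user).build();
    }

    public static void main(String[] args) throws URISyntaxException {
        String base = "https://api.example.internal/lookup";
        System.out.println(concatenated(base, TAINTED));
        System.out.println(built(base, TAINTED));
    }
}
```

Running it prints the concatenated URL with a separate role parameter first, and then the URIBuilder URL in which the ampersand and equals sign of the tainted value appear as %26 and %3D, so the remote service sees a single user parameter.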

StringSubstitutor

StringSubstitutor / StrSubstitutor are now tracked properly for all injection detectors.

SpotBugs 4.0.0

This version is compatible with SpotBugs 4.0.0. The command line client (see attached package) includes the latest version.


Full Changelog

Implemented enhancements:

  • Scanning Kotlin doesnt work with gradle-plugin #598
  • HTTP parameter pollution False positive with URIBuilder (HTTPClient) #586
  • Improper handling of Unicode transformations #577
  • Add support for sort with -V in findsecbugs.sh #570
  • Java deserialization vulnerability not being discovered #563
  • False positive spring jdbctemplate SQL Injection #538
  • Detect hardcoded password for SSH private key #536
  • New Sink : Groovy Script Injection #483

Fixed bugs:

  • EmptyStackException error #546
  • RuntimeException when processing static method #541
  • "Error: missing bug code for keySECEMA " in FindSecBugs 1.10.0 #526
  • Incompatibility with SpotBugs 4.0.0 #525
  • Missing commons-codec library #602

Closed issues:

  • Restore Codecov integration #608
  • Restore Travis-CI on build on Pull Request #574
  • src/test/java/testcode/serial/ObjectDeserializationFalsePositive2.java:[10,8] error: no suitable constructor found for ASN1InputStream(no arguments) #557
  • How to remove “taint” for custom tld function? #555
  • java.lang.OutOfMemoryError: GC overhead limit exceeded #554
  • Enable 'Require HTTPS' on find-sec-bugs.github.io/ #544
  • False positive for unsafe comparison of hash that are susceptible to timing attack #558
  • SQL injection false positive when the source is an array. #529
  • String-value coming from an Enum causes SQL_INJECTION_JPA #491


> md5sum findsecbugs-cli-1.11.0.zip
241c1f9138ee903d9d9f5e7cd00a93bf *findsecbugs-cli-1.11.0.zip

> sha1sum findsecbugs-cli-1.11.0.zip
910f38b746257d62de33ca83f257426e74e02033 *findsecbugs-cli-1.11.0.zip

version-1.10.1

4 years ago

This minor update introduces a fix for https://github.com/find-sec-bugs/find-sec-bugs/issues/526

A new detector for Pebble template injection was also added. Thanks to @sa160690.

Messages from many detectors were also updated, and multiple broken or outdated links were corrected: https://github.com/find-sec-bugs/find-sec-bugs/pull/528

> sha1sum findsecbugs-cli-1.10.1.zip
fad67bc6c31032dd3cf7419c1f4abe2376658757 *findsecbugs-cli-1.10.1.zip

> md5sum findsecbugs-cli-1.10.1.zip
1eecbef120b61e0ce4870c38fe28fccd *findsecbugs-cli-1.10.1.zip

version-1.10.0

4 years ago

New bug detectors (or important improvements)

  • Mass-assignment when using JPA or JDO entities
  • Leakage from entity when using JPA or JDO entities
  • Permissive CORS header allowing all origin (New coverage for Spring CorsRegistry)
  • Overly permissive file permissions (code doing equivalent operation to chmod 777)
  • Insecure SAML configuration affecting provider using OpenSAML API
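As an added example of the first two detectors in the list (written for this page, not code from Find Security Bugs), here are the Spring/JPA controller patterns they report, beside the DTO-based shape that avoids both. It assumes spring-web and the javax.persistence API on the classpath; the in-memory map stands in for a repository and the Account fields are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (not Find Security Bugs code): mass assignment and entity leak
// in a Spring controller, beside request/response DTOs. Assumed dependencies:
// spring-web and the JPA API; the map below is a stand-in for a repository.
@Entity
public class Account {
    @Id public Long id;
    public String email;
    public String apiKey;   // server-generated secret, must not be returned to clients
    public boolean admin;   // privilege flag, must not be client-settable
}

// What a client may send: only the fields it is allowed to choose.
class CreateAccountRequest {
    public String email;
}

// What a client may see: no secret, no internal flags.
class AccountView {
    public final Long id;
    public final String email;
    AccountView(Account a) { this.id = a.id; this.email = a.email; }
}

@RestController
@RequestMapping("/accounts")
class AccountController {
    private final Map<Long, Account> store = new ConcurrentHashMap<>();
    private final AtomicLong nextId = new AtomicLong();
    private final SecureRandom random = new SecureRandom();

    // Reported twice: a body of {"email":"x","admin":true,"apiKey":"chosen"} binds
    // straight into the entity (mass assignment), and the stored entity, secret
    // included, is serialized back to the caller (entity leak).
    @PostMapping("/unsafe")
    public Account createUnsafe(@RequestBody Account account) {
        account.id = nextId.incrementAndGet();
        store.put(account.id, account);
        return account;
    }

    // Fix: the request DTO has no 'admin' or 'apiKey' field to bind, the server
    // sets every sensitive field itself, and the response DTO carries only what
    // the client should know.
    @PostMapping
    public AccountView create(@RequestBody CreateAccountRequest request) {
        Account account = new Account();
        account.id = nextId.incrementAndGet();
        account.email = request.email;
        account.apiKey = newApiKey();
        account.admin = false;
        store.put(account.id, account);
        return new AccountView(account);
    }

    private String newApiKey() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

The point of the DTO split is that the set of bindable fields and the set of exposed fields are both visible in the controller's signature, which is exactly what the two detectors inspect: a @RequestBody parameter or a return type that is a JPA/JDO entity is the signal.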

This release is the result of various contributors: jie-lin, kulinacs, mkotyk, topolik, bananayong, nigredo-tori and thiyagu-7. With this 19th release, we have reached 51 contributors.

A status update was published about Find Security Bugs arrival in the OWASP family.

version-1.10.0 (2019-10-17)

Full Changelog

Implemented enhancements:

  • Fix code coverage badge + CI task #507
  • Detect if authorisation is missing from a RequestMapping #473
  • Support com/google/common/escape/Escaper as sanitizer #504
  • http://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE #482
  • Remove hard-coded "metadata" in FindBugsLauncher#buildFakePluginJar #479
  • Add PathTraversalSinks for java/nio/file/Files API #476
  • PATH_TRAVERSAL_IN detection #470
  • Weak Permissions (chmod 777) #438
  • Insecure SAML configuration in Spring #369
  • Add configurable metadataFolder in FindBugsLauncher #480 (Kidlike)
  • Add permissive CORS detector for CorsRegistration in Springboot #472 (Anemone95)

Fixed bugs:

  • Integration with Ant Script #493
  • Failed when build find-sec-bugs myself #379
  • findsecbugs.sh has windows line breaks #516
  • Unsupported class file major version 56 #512
  • SpringEntityLeakDetector throws NPE #477
  • local-variable-index-rewrite-bug #475 (topolik)

Closed issues:

  • Unwrapping an encrypted key with non-random IV shouldn't trigger STATIC_IV #517
  • False-positive in URLCONNECTION_SSRF_FD #505
  • SQL Injection false positive with MessageFormat.format() #498
  • Spring Entity Leak Detector for collections #495
  • JSP Include with constant URL #481


version-1.9.0

5 years ago

The project is now an OWASP project. After 7 years of development, this transition was made mainly to reiterate the project's goal, which is to provide a solid static analyzer accessible to all Java developers. The hope is that this will increase the project's visibility, which means more users, and keep the flow of external contributions going.

For this release, support for Kotlin was improved greatly thanks to mario-areias. An important bug fix was made for the Linux CLI. A few improvements were made to remove recurring false positives related to XSS in JSP, deserialization and insecure ciphers.

An effort was made at the end of this milestone to improve the descriptions. This effort will continue in the next releases. Don't hesitate to send a PR for any grammar errors or typos. Ref: complete descriptions and file to edit

PS: I know that wasps (OWASP mascot) are not the same as bees. 😆

New contributors for this release

(In order of contribution date)


Full Changelog

Implemented enhancements:

  • New Rule: Detect Information Exposure through printStackTrace() #356
  • detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
  • Detect if entity objects are being returned by controllers in Spring #454
  • Apache XML RPC setEnabledForExtensions(true) #418
  • False Positive XSS in Expression Language ${pageContext.request.contextPath} #399
  • False positive XSS when using OWASP taglib #353
  • Detect Commons lang Random utilities #243
  • New Rule: Use of setEscapeModelStrings in Wicket project #201
  • Extended PredictiveRandomDetector #437 (ManWhoLaughs)

Fixed bugs:

  • Possible bug in DeserializationGadgetDetectorTest #408
  • [Error] Resource not found: java/lang/Object.class (Java 9) #365
  • detect CWE-113 with sink javax/servlet/http/HttpServletResponse.setHeader #354
  • 1.8.0 findsecbugs.sh script errors #460
  • Version mismatch in the findsecbugs-cli sh script. #445
  • Test coverage for command injection for Kotlin #428
  • ECIES integrity false positive #417
  • Error while executing finsecbugs.sh on ubuntu #367
  • False positive: ASN1InputStream identify as ObjectInputStream #170

Closed issues:

  • The following classes needed for analysis were missing for method names #440
  • false positive for CRLF_INJECTION_LOGS #425
  • Migrate from BCEL Constants interface to Const class #413
  • No class directories configured for FindBugs analysis error #412
  • Kotlin arrayOf considered safe #432
  • False Positive - JSTL Core accessing exported scoped variable storing the status of the iteration. #404


> sha1sum findsecbugs-cli-1.9.0.zip
27b35c76f45d4da063e4a85ffebf491bc4890763 *findsecbugs-cli-1.9.0.zip

> md5sum findsecbugs-cli-1.9.0.zip
cc7c052184cc94e316908ddb58e2afae *findsecbugs-cli-1.9.0.zip

> sha1sum findsecbugs-cli-1.9.0-fix1.zip
f596059c106675ff93aa252cd99f923b480f1e30 *findsecbugs-cli-1.9.0-fix1.zip

> md5sum findsecbugs-cli-1.9.0-fix1.zip
795a404bc73493e32bf86ba4655901f0 *findsecbugs-cli-1.9.0-fix1.zip

> md5sum findsecbugs-cli-1.9.0-fix2.zip
0d92d567ebc6ec88b1ce6d61b8d40d48 *findsecbugs-cli-1.9.0-fix2.zip

> sha1sum findsecbugs-cli-1.9.0-fix2.zip
998437752ebfbed1cace3c9d73cc4644fb3f1545 *findsecbugs-cli-1.9.0-fix2.zip

version-1.8.0

5 years ago

While SQL injection is considered by many to be a (mostly) solved problem, injection vulnerabilities are still current because of all the injections possible in other APIs receiving SpEL or OGNL expressions, HTML (XSS), SMTP headers or specialized query languages. In this release, new detectors and updates to old ones are likely to catch critical vulnerabilities that may lead to remote code execution or sensitive data exposure.

Some modifications were made to support edge cases of Kotlin. If you are a Kotlin developer, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)

Many built-in Java XML APIs susceptible to XXE were added to the existing detectors. #138

Find Security Bugs is now automatically tested against Java 10. We will continue to compile the plugin with Java 8 to maximize the compatibility.

Thanks to the numerous contributors who have pushed changes that were integrated in this version:
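To make the SpEL case concrete, here is an added example (written for this page, not code from Find Security Bugs or Spring): the expression evaluation that the SpEL injection detector reports, beside an evaluation context that cannot reach Java types. It assumes spring-expression on the classpath; the Order class and the two input strings are constructed for the example.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not Find Security Bugs or Spring code): SpEL injection beside
// a restricted evaluation context. Assumes spring-expression; inputs are constructed.
public class SpelInjectionExample {

    // Constructed root object for the expressions to read from.
    public static class Order {
        public String customer = "acme";
        public int total = 42;
    }

    // Sink: the expression string comes from the request and runs against a
    // StandardEvaluationContext, which resolves T(...) type references and
    // therefore lets the caller invoke arbitrary static methods.
    static Object evaluateUnsafe(String expression, Order root) {
        ExpressionParser parser = new SpelExpressionParser();
        return parser.parseExpression(expression).getValue(new StandardEvaluationContext(root));
    }

    // Fix: SimpleEvaluationContext exposes only property reads on the root
    // object; type references, constructors and bean references are unavailable.
    static Object evaluateRestricted(String expression, Order root) {
        ExpressionParser parser = new SpelExpressionParser();
        return parser.parseExpression(expression)
                .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Constructed inputs: a legitimate data-binding expression and one that
        // escapes into the JVM (here it only reads a system property).
        String legitimate = "customer + ':' + total";
        String hostile = "T(java.lang.System).getProperty('user.name')";

        System.out.println(evaluateUnsafe(legitimate, order));
        System.out.println(evaluateUnsafe(hostile, order));      // the OS user name: JVM reachable
        System.out.println(evaluateRestricted(legitimate, order));
        try {
            evaluateRestricted(hostile, order);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The restricted context is the right fix when the expression language is needed for data binding only; if the expression text itself comes from users, the better option is to not evaluate it at all and offer a fixed set of named operations instead.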

Full Changelog


Implemented enhancements:

  • Detect SpelView (Spel Injection) #400
  • False positive STRUTS_FORM_VALIDATION issues for ActionForms with proper validate method #390
  • Kotlin support for hardcode password with Intrinsics.areEqual\(\) #387
  • SMTP Header Injection #374
  • FileItem.getName() as a new source for XSS_SERVLET? #358
  • Detect hardcode password and hash based on variable name #342
  • Identify XSS cause by ServletOutputStream.print() #341
  • (Internal) Enable assertions during building and/or using find-sec-bugs #338
  • Add Paths.get() as source for Path traversal #324
  • Reduce false positive for Path traversal #291
  • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
  • [Documentation] - Add Table of Contents to Bug Patterns page #160
  • More XXE coverage #138
  • New implementation of CORS detector #313 #361 (bradflood)
  • fix for: Identify XSS cause by ServletOutputStream.print() #341 #355 (bradflood)
  • Optional API and improvement to crypto detector #350 (h3xstream)
  • Added some XXE Coverage for TransformerFactory #349 (MaxNad)
  • Add Java8 nio API for path traversal #324 #325 (h3xstream)

Fixed bugs:

  • Path traversal: Flase positive with static final variable #382
  • NullPointerException in GoogleApiKeyDetector.visitClassContext #364
  • Images on Gradle Configuration documentation page show 'Please update your account' #337
  • PermissiveCORSDetector throws NPE #313
  • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240

Closed issues:

  • Crash with spotbugs 3.1.4 #406
  • Adding New Sinks #378
  • Add a new bug check "X-Frame-Options Header Not Set" #371
  • Invalid configuration for java/io/File#createTempFile in java-net.txt #328

> sha1sum findsecbugs-cli-1.8.0.zip
74a7fc48d07c50311e052fdf4c7ac0ee675876fa *findsecbugs-cli-1.8.0.zip

version-1.7.1

6 years ago

SpotBugs' first stable release (3.1.0) is approaching. The build now uses SpotBugs rather than FindBugs. Nevertheless, Find Security Bugs will continue to be compatible with FindBugs, as the API stays the same. If you don't migrate to SpotBugs, you will be missing the Java 8 compatibility.

What's new in this release? Many new signatures, 94 to be exact, have been added, including Android SQL APIs and Struts 2 APIs receiving OGNL expressions. Improvements have been made to the APIs affected by SSRF for Play as well as the J2EE API.

Special thanks to the contributors of this release: @javabeanz, @topolik, @MaxNad, @dbaxa, @ln2v, @gredler, @dreis2211, @johnhawes, @obilodeau and @xsun12. Also thanks to @VinodAnandan for spotting a regression with the OWASP Benchmark project.


Implemented enhancements:

  • OGNL injection #312
  • Generalize configuration properties with hard coded password #292
  • New rule: detect https connections with weak SSL / TLS protocol #283

Closed issues:

  • URL decode create false-negative #322
  • CRLF_INJECTION_LOGS documentation typo #299
  • Run coveralls after each build #287

Merged pull requests:

  • Fix URL decode create false-negative #322 #323 (h3xstream)
  • fixed out of date dependencies #321 (javabeanz)
  • SSRF and LFI using RequestDispatcher and URLConnection #319 (topolik)
  • Better fix of the Play 2.5.x SSRF detection (issue #307) #317 (MaxNad)
  • Few changes to messages.xml #316 (h3xstream)
  • OGNL injection + Android SQL injection + Migration from FindBugs to SpotBugs #309 (h3xstream)
  • Added the Play 2.5.x SSRF detection - Fixed issue #307 #308 (MaxNad)
  • Implement an unsafe jackson databind deserialization detector. #306 (dbaxa)
  • Fixed copy-paste slip-up in Scala code example #305 (ln2v)
  • Validate taint config class and method names as java identifiers #304 (topolik)
  • Test and quality improvements #301 (h3xstream)
  • Fix typo in documentation (fixes #299) #300 (gredler)
  • Fix typo in documentation #296 (dreis2211)
  • New detector HardcodePasswordInMapDetector #292 #293 (h3xstream)
  • Gradle build to generate the CLI version of FSB #290 (h3xstream)
  • Spring Unvalidated Redirect Detector #289 (johnhawes)
  • Fixed typos I encountered #288 (obilodeau)
  • Version 1.6.0 to 1.7.0 #286 (h3xstream)
  • Implement detector for weak SSL/TLS protocols #285 (xsun12)

Hashes:

dc733590c116fd2fb37fda434b76b7fecd90664456219cab5d135d73ca0467df *findsecbugs-cli-1.7.1.zip

version-1.6.0

7 years ago

Most of the new detectors in this release are contributions from new developers. Notably @plr0man, @ptamarit, @MaxNad and @edrdo.

The new detectors cover a wide range of vulnerability types. See the changelog below.

In the news, a team of researchers from Google and Centrum Wiskunde & Informatica has carried out a previously theoretical attack to find the first SHA-1 collision. If you think SHA-1 collisions can affect your application, you can look at the report of the bug Weak Message Digest SHA-1.

version-1.6.0 (2017-03-15)

Full Changelog

Implemented enhancements:

  • Unexpected deserialization with RestEasy/Jersey #198
  • Turbine SQL Injection #238
  • Detect hardcoded password in unknown API #231
  • Malicious deserialization from LDAP entry #228
  • (Dev internal) Validate the configuration files automatically #158
  • Turbine SQL injections #253 (h3xstream)
  • Adding overly permissive CORS policy detector #248 (plr0man)
  • LDAP improvements #278 (h3xstream)
  • Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
  • Add File Disclosure Injection detector #265 (plr0man)
  • Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
  • Add JavaBeans Property Injection detector #263 (plr0man)
  • Add Insecure SMTP SSL detector #259 (plr0man)
  • SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
  • Add Url rewriting detector #252 (plr0man)
  • UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
  • Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)

Fixed bugs:

  • Out of bounds mutables in ... (Assertion trigged) #275
  • Force encoding to UTF-8 on windows when generating micro-website #232
  • Freemarker description fix #230
  • Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)

Closed issues:

  • Find-sec-bugs maven plugin failed to execute #274
  • False negatives in detection of bad modes of operation #270
  • findbugs not working with Sonarqube 6.1 #235
  • Update JSP compiler #279

Merged pull requests:

  • Remove duplicated word in README #282 (jwilk)
  • Update JSP compiler #281 (h3xstream)
  • Fix #275 #277 (h3xstream)
  • Add Format String Manipulation Injection Detector #266 (plr0man)
  • Travis improvements: batch mode and verify phase #262 (ptamarit)
  • Add AWS Query Injection detector #260 (plr0man)
  • Fix false negatives in InsufficientKeySizeRsaDetector #257 (plr0man)
  • Fix false negative SHA in WeakMessageDigestDetector #255 (plr0man)
  • Persistent cookie detector #251 (plr0man)
  • Anonymous LDAP Bind detector #250 (plr0man)
  • Fix Maven warnings (missing plugin version, relocation, proprietary API) #247 (ptamarit)
  • Adding ThreadLocalRandom detection #246 (plr0man)
  • Improve SpringMvcEndpointDetector by detecting new RequestMapping annotation shortcuts #244 (ptamarit)
  • Update plugins #279 #280 (h3xstream)
  • Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261 (ptamarit)
  • (internal) Refactoring: Rename Summary to TaintConfig #258 (h3xstream)

version-1.5.0

7 years ago

A couple of major improvements are bundled in this release, including:

  • Better Scala support with a couple new detectors (thanks to @MaxNad )
    • New Rule: Scala Path Traversal
    • New Rule: Sensitive data exposure in cookies
    • New Rule: XSS detection in Play Framework
    • .. and many other improvements
  • Huge set of small fixes and improvements (thanks to @topolik from Liferay) #214
  • New Rule: XXE with XMLStreamReader
  • New Rule: Template injection with Velocity and Freemarker
  • New Rule: XSS detection in Portlet

These are the major new detectors, but, as usual, many more false positive patterns are now recognized and avoided.

Quick note on the version notation: the previous releases were made as minor versions (1.4.1-1.4.6) even though they included major improvements. It was never really a big concern because no major issue needed to be fixed, but it may have caused some confusion for users. The release plan is still to keep going forward and not maintain older versions. There should be no benefit to keeping an old version.

version-1.5.0 (2016-10-06)

Full Changelog

Implemented enhancements:

  • Detect template usage (template injection) #227
  • Reduce the number of FP related to Trust Boundary Violation #226
  • XSS in Portlet #216
  • How to set findsecbugs.taint.customconfigfile through gradle? #215
  • Identify weak XML parser properties that could lead to XXE #209
  • Scala : XSS in twirl template #207
  • Scala: XSS in Play controller #206
  • XML parsing vulnerable to XXE (XMLReader) shortage #191
  • Path Traversal (CWE 22) - Scala Path Traversal injection sinks #223 (MaxNad)
  • Sensitive data exposure (CWE 200) - Sensitive data exposure in cookies #221 (MaxNad)
  • XSS (CWE 79) - Scala - The detector can be fooled when the .as("text/html") is in uppercase #208 (MaxNad)
  • Taint analysis bug fixes and improvements #214 (topolik)
  • Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
  • XSS (CWE 79) - Scala Play vulnerable code #203 (MaxNad)
  • CWE 200 (Information Exposure) - Scala Play vulnerable code #202 (MaxNad)

Fixed bugs:

  • FP: sending local broadcasts via LocalBroadcastManager #224
  • False positive: ResourceBundle in JSP #213
  • Out of bounds mutables in static myclass$.()V #199
  • Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225 (MaxNad)
  • Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)

Closed issues:

  • not to report null-porter dereference if there is code already throws RuntimeError #197
  • Release version 1.4.6 #195
  • Release 1.4.5 #159
  • Fix mix-content on micro-website #229

Merged pull requests:

  • Custom config file method refactoring #218 (topolik)
  • Accept environment variables spelled with underscores #217 (kuhnmi)